Real life challenges and configurations when implementing HCL Sametime v12.0.1 - DNUG Stammtisch Wien

Copyright © 2023 HCL Software Limited | Confidential
Ad08.
Real life challenges and configurations
when implementing
HCL Sametime V12.0.1 FP1
Engage 2023
Herwig W. “Wickerl” Schauer
Technical Lead - HCL Lab-Services Austria
Erik Schwalb
Technical Advisor – HCL Software Germany

Herwig W. "Wickerl"
Schauer
works as a Technical Lead at HCL Lab-Services and is based
in Austria.
Looking back at 25 years in the services business, being
with Lotus Professional Services as well as almost 20 years
at IBM Software Group Services.
He works at HCL Lab-Services since 2020 and currently
primarily supports several Austrian key customer accounts
through the Advanced Technical Services (ATS) program.
mailto:wickerl@pnp-hcl.com
@TheWickerl

Erik Schwalb
Working as a Technical Advisor at HCL Software in Germany,
Erik is responsible for consulting and sales of the HCL Digital
Solutions portfolio with a focus on Domino, Sametime and
Connections.
He has 30+ years of experience in various technical sales roles
at Lotus, IBM and HCL.
Erik started working with Sametime in version 1 and later
co-authored the Lotus Sametime 2.0 Deployment Guide.
More recently he created a Do-it-yourself monitoring solution
for HCL Sametime Meetings on Docker and keeps his hands-
on experience current by maintaining the HCL Sametime
Sandbox and several other Sametime environments.
Contact: erik.schwalb@hcl.com

.
.
.
.
Creating Truststores and
Keystores for Sametime

.
.
Sametime 12.0.1 requires PCKS#12 file format for Truststores and Keystores.
Due to security enhancements, PKCS#12 files created with newer versions of Java
will not work with older versions of Java !
Either use an older version of OpenJDK keytool (eg OpenJDK 8) or add the -J-Dkeystore.pkcs12.legacy
parameter when using newer versions of keytool !
Example for converting an existing PKCS#12 file to the desired file format:
keytool -importkeystore -srckeystore <existingkeystore.p12> -srcstoretype PKCS12
-srcstorepass <existingkeystorepassword> -destkeystore <sametimekeystore.p12>
-deststoretype PKCS12 -deststorepass <sametimekeystorepassword>
-J-Dkeystore.pkcs12.legacy
https://help.hcltechsw.com/sametime/1201/admin/t_create_truststore.html
Creating Truststores and Keystores for Sametime
It's all about PKCS#12, but ...

.
.
.
.
Securing connections between
Sametime servers and LDAP

.
.
1. Requires a properly created PKCS#12 truststore containing the TLS certificates of your LDAPs server.
We already learned about that earlier …
2. Requires specific TLS Ciphers to work correctly, ie for TLS1.2:
RSA_WITH_AES_256_GCM_SHA384 (0x009D)
RSA_WITH_AES_128_CBC_SHA (0x002F)
Sametime 12.0 TLS required ciphers to connect to Domino 12.0.2 LDAP
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0099644
https://help.hcltechsw.com/sametime/1201/admin/securing_connections_sametime_community_and_ldap.html
Securing connections between Sametime servers and LDAP
Important things to know

.
.
You can expand your configuration for your LDAP trustore with a tlsdlap.env file (as documented) or simply add the
required parameters to your custom.env file:
STI__Config__STLDAP_TLS_TRUST_STORE_TYPE=p12
STI__Config__STLDAP_TLS_TRUST_STORE_FILE=/local/notesdata/ldaptruststore.p12
STI__Config__STLDAP_TLS_TRUST_STORE_PASSWORD=<sametimetruststorepassword>
Important:
• STI__Config__STLDAP_TLS_TRUST_STORE_FILE
describes the path to your PKCS#12 file as seen by the community container, it does not refer to the path of the
file on the host system.
• File permissions
Ensure that your PKCS#12 file permissions are not restricted to root only, otherwise the community container
won't be able to read the file.
https://help.hcltechsw.com/sametime/1201/admin/securing_ldap_docker.html
Docker configuration

.
.
Change your docker-compose.yml to map your PKCS#12 file from the host system to the community container:
[...]
community:
image: hclcr.io/st/chat-server:${BUILD_LEVEL}
restart: ${RESTART_POLICY}
env_file: custom.env
environment:
- JWT_SECRET_ENV=${JWT_APP_SECRET}
[...]
networks:
- sametime.test
volumes:
- <sametimekeystore.p12>:/local/notesdata/ldaptruststore.p12
[...]
Important:
• <sametimekeystore.p12> describes the path to your PKCS#12 file on the host system.
Either use an absolute path or a relative path (relative to the directory containing your docker-compose.yml file).
• The right part of your volumes configuation (after the colon) must match the path as specified earlier
in the STI__Config__STLDAP_TLS_TRUST_STORE_FILE parameter.
https://help.hcltechsw.com/sametime/1201/admin/securing_ldap_docker.html
Docker configuration (cont.)

.
.
In a Kubernetes configuration the LDAP truststore is stored in a Kubernetes Secret.
kubectl -n <sametimenamespace> create secret generic <ldapsecretname>
--from-literal=KeyStorePassword=<sametimetruststorepassword>
--from-file=ldaptruststore.p12=<sametimekeystore.p12>
Important:
• <ldapsecretname> is the name of the secret you refer to in your values.yaml file.
The default value in the Sametime documentation is "ldap-secret".
• Have a closer look at the --from-file option:
The value after the first equal sign specifies the filename in the Kubernetes Secret (which has to be
"ldaptrustore.p12").
The value after the second equal sign specifies the path to the PKCS#12 file you want to import into the Secret.
So the file imported can actually have a name different than "ldaptruststore.p12".
https://help.hcltechsw.com/sametime/1201/admin/securing_ldap_kubernetes.html
Kubernetes configuration

.
.
Change your helm/values.yaml file to refer to your Kubernetes Secret and enable LDAPs.
global:
[…]
ldapHost: <ldapsfqhn>
# ldapPort: 389
ldapPort: <ldapsport>
# ldapTls: false
ldapTls: true
ldapConfigSecret: <ldapsecretname>
[…]
Remarks:
<ldapsport> specify your LDAP server's secure port. The default port for LDAPs is 636.
https://help.hcltechsw.com/sametime/1201/admin/securing_ldap_kubernetes.html
Kubernetes configuration (cont.)

.
.
.
.
Setting up SSO using LTPA

.
.
In real life scenarios you will have to deal with existing LTPA Keys, generated in other systems, eg
#IBM WebSphere Application Server key file
#Tue Jan 24 15:26:53 CET 2017
com.ibm.websphere.CreationDate=Tue Jan 24 15:26:53 CET 2017
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=T+mMs2ekH83ev0csh8FpwhFduUkonkB33/cGjIn+mR4=
com.ibm.websphere.CreationHost=connections
com.ibm.websphere.ltpa.PrivateKey=28mfdluonFfUPuZzX9RRScpfBQRJJ5Xan9m1SDLdpXwQAWqvDVIZCog9MF5ithR9NaAVYWVTaaToxVV6mWA0
XD+vfWmVumUtPfCjzPhOGS+gHetcqdPOQLmCkuaq0tvfZ8uaxhLttZ7pLCuKST7B9ogjks7bfOSOs3HDUl2tm1JRWLlnUiieE6Vd7dCOhqD/garvyzAD6Z
R9lxqEzi+kEQ68i9DprHxG+t4PqYT6ygQaEyLTYwTzBa96zrirdoDuL5sizQ9FqSc07lX4AnaLnRdR96l1jpuVW+l2uNoABIuxE7seFG2Mb8ratszaQd8d
OLcMFom3yeaSVKmCXXy31EbWs4V2AsvdXVoU8DL4xts=
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.PublicKey=AKu1AHlIHCGpiwOKAMVaKqBGO8GikB7U3n7zMAb6O2E459Tm6vgMzChrnSmY4IY6U20VpkbXzirF4stoi2PMr
uC0DlktaeTXsMt7kfE6yCCMALi8xiB35hQoOJ4ktQi4YtIpBvBWtDCjbxGYZa0wmAK+0ovSUZUaKRIm0OqkxPtzAQAB
Important:
An existing LTPA Key, created in another system like Connections, might contain a different LTPA Realm than the default
Realm of WebSphere Liberty ("defaultRealm").
To integrate Sametime with existing LTPA configurations you also have to properly configure the Realm !
https://help.hcltechsw.com/sametime/1201/admin/enabling_sso_ltpa.html
Additional things to consider ...

.
.
Change your .env file:
ENABLE_LTPA=true
LTPA_KEYS_FILE_PATH=<ltpakeyfilepath>
LTPA_KEYS=/ltpa-config/ltpa.keys
LTPA_KEYS_PASSWORD=<ltpakeyfilepassword>
LTPA_REALM=<ltparealm>
Important:
• <ltpakeyfilepath> specifies the path to your LTPA Key file.
The actual file name does not matter.
• Do not change the value of the parameter LTPA_KEYS.
This is how the container refers to the LTPA Key file and must not be changed.
• If your LTPA Realm differs from the default name "defaultRealm", specify your existing LTPA Realm name in the LTPA_REALM variable as
<ltparealm>.
• You have to make additional changes to your docker-compose.yml for the configuring your LTPA Realm.
Change the value STI_ST_BB_NAMES_ST_AUTH_TOKEN in your custom.env file to
STI_ST_BB_NAMES_ST_AUTH_TOKEN=Fork:Jwt,Ltpa
https://help.hcltechsw.com/sametime/1201/admin/ltpa_configure_docker.html
Docker

.
.
If you had to specify a different LTPA Realm name, you have to change your docker-compose.yml as follows:
[...]
auth:
image: hclcr.io/st/meetings-auth.node:${BUILD_LEVEL}
volumes:
- ${LTPA_KEYS_FILE_PATH}:/ltpa-config/ltpa.keys:Z
environment:
[...]
- LTPA_KEYS
- LTPA_KEYS_PASSWORD
- LTPA_REALM
[...]
https://help.hcltechsw.com/sametime/1201/admin/ltpa_configure_docker.html
Docker (cont.)

.
.
In a Kubernetes configuration the LTPA Key File is stored in a Kubernetes Secret.
kubectl -n <sametimenamespace> create secret generic <ltpasecretname>
--from-file=ltpa.keys=<ltpakeyfilepath>
Important:
• <ltpasecretname> is the name of the secret you refer to in your values.yaml file.
The default value in the Sametime documentation is "ltpa-keys".
• Have a closer look at the --from-file option:
The value after the first equal sign specifies the filename in the Kubernetes Secret (which has to be "ltpa.keys").
The value after the second equal sign specifies the path to the LTPA Keys file you want to import into the Secret.
So the file being imported can have a name different than "ltpa.keys".
https://help.hcltechsw.com/sametime/1201/admin/ltpa_configure_kubernetes.html
Kubernetes

.
.
Change your helm/values.yaml file to enable LTPA, if required also specify your existing LTPA Realm:
global:
[...]
enableLtpa : true
ltpaRealm: <ltparealm>
[...]
Add the base64 encoded LTPA Key Password to helm/templates/sametime-secrets.yaml:
data:
[...]
LtpaKeysPassword: <ltpakeyfilepasswordbase64>
[...]
Remarks:
Calculate <ltpakeyfilepasswordbase64> by executing echo -n <ltpakeyfilepassword> | base64
where <ltpakeyfilepassword> is your plain text LTPA Key Password.
https://help.hcltechsw.com/sametime/1201/admin/ltpa_configure_kubernetes.html
Kubernetes (cont.)

.
.
.
.
Integrating with other
applications

.
.
Beginning with HCL Sametime 12.0 the legacy web-client is not enabled by default, but it can be enabled when
needed for integration with other products, eg HCL Connections, HCL Verse, …
Things to do:
• Enable (legacy) web-client integration
• Enable content security headers
See https://content-security-policy.com/frame-ancestors/ for details.
Remarks:
SSO is required for integrating with other products, ie LTPA or SAML.
https://help.hcltechsw.com/sametime/1201/admin/verse_integration.html
Integrating with other applications
Things to know ...

.
.
Enable the (legacy) web-client in docker-compose.yml:
[...]
proxy:
image: hclcr.io/st/chat-proxy:${BUILD_LEVEL}
volumes:
- proxy-workspace:/workspace/proxy-storage
environment:
- JAVA_TOOL_OPTIONS=-XX:MaxDirectMemorySize=64M -XX:MaxMetaspaceSize=192M
- SAMETIME_EXTERNAL_WARINTEGRATION=true
[...]
Enable content security policy by adding the following parameter to custom.env, eg:
[...]
CONTENT_SECURITY_POLICY=frame-ancestors https://*.<yourdomain.tld>
[...]
https://help.hcltechsw.com/sametime/1201/admin/verse_integration_docker.html
https://help.hcltechsw.com/sametime/1201/admin/verse_integration_contentsecurity_docker.html
Docker

.
.
Enable the (legacy) web-client in values.yaml:
global:
[...]
enableLegacyChatClient: true
[...]
Enable content security policy by adding the following parameter to values.yaml, eg:
global:
[...]
enableLegacyChatClient: true
contentSecurityPolicy: frame-ancestors https://*.<yourdomain.tld>
[...]
https://help.hcltechsw.com/sametime/1201/admin/verse_integration_kubernetes.html
https://help.hcltechsw.com/sametime/1201/admin/verse_integration_contentsecurity_kubernetes.html
Kubernetes

.
.
Branding
You can customize different elements of the Meeting Web UI
▪ Define a custom product / meeting service name
▪ Replace the Sametime product logo with your company logo
▪ Use a custom meeting background image
Custom branding can be displayed on the login page, on the meeting
home page, in a meeting, on the logout page and in meeting reports.

.
.
/images/branding in custom.env corresponds to ./sametime-config/web/branding
Adding corporate branding to Sametime Meetings on Docker
REACT_APP_PRODUCT_NAME=DNUG Lab Meeting Server
REACT_APP_PRODUCT_LOGO=/images/branding/dnug-lab-logo-large.png
REACT_APP_MEETING_BANNER_IMAGE=/images/branding/dnug-lab-logo-large.png
REACT_APP_PRODUCT_LOGO_URL=https://sametime.lab.dnug.eu/images/branding/dnug-lab-logo-large.png
REACT_APP_MEETING_BACKGROUND_IMAGE=/images/branding/dnug-background.jpg
Settings in custom.env
Also see https://alichtenberg.cz/how-to-change-corporate-branding-in-hcl-sametime-12-0-for-docker-step-by-step-guide
Alternatively, you can use a URL that points to an accessible image to specify your custom meeting background image:
REACT_APP_MEETING_BACKGROUND_IMAGE=https://mycompany.com/assets/theme.png
[root@sametime sametime]# ls -l ./sametime-config/web/branding
total 1848
-rw-r--r--. 1 root root 1825010 Dec 6 11:02 dnug-background.jpg
-rw-r--r--. 1 root root 7398 Dec 6 11:02 dnug-lab-large.png
-rw-r--r--. 1 root root 12221 Dec 6 11:02 dnug-lab-logo-large.png
-rw-r--r--. 1 root root 5703 Dec 6 11:02 dnug-lab-medium.png
-rw-r--r--. 1 root root 2977 Dec 6 11:02 dnug-lab-small.png
-rw-r--r--. 1 root root 30321 Dec 6 11:02 dnug-lab-xlarge.png

.
.
# Define your custom product / meeting service name
productName: <YourCustomProductName>
# Use a custom logo
productLogo: /images/branding/<your_logo_file>
# Use a custom meeting banner image
meetingBannerImage: /images/branding/<your_banner_image_file>
# Use a custom meeting background image
meetingBackgroundImage: /images/branding/<your_background_image_file>
Adding corporate branding to Sametime Meetings on Kubernetes
Specify your custom branding settings in the global: section of values.yaml
Alternatively, you can use an accessible URL that points to your custom logo and
custom images. Then you do not have to copy these files to the persistent volume:
productLogo: "http://mycompany.com/assets/<your_logo_file>"
https://help.hcltechsw.com/sametime/1201/admin/customize_kubernetes.html
## Custom branding settings begin
productLogo: "https://sametime.lab.dnug.eu/images/branding/dnug-lab-logo-large.png"
## Custom branding settings end

.
.
.
.
Migrating contact lists
(vpuserinfo.nsf)

.
.
Starting with HCL Sametime 12.0 contact list data is now also stored in MongoDb as Community and Proxy is now
containerized.
Existing contact list data stored in vpuserinfo.nsf
must be migrated to MongoDb.
Important:
• Required tooling is part of HCL Sametime since 12.0 (notes-migration.zip) and available for Windows and Linux.
• Supports HCL Sametime 9.x, 10.x and 11.x.
Prior versions are not supported due to outdated Java versions.
• Designed to be unzipped and run directly on the HCL Sametime Server.
• Be aware of limited character encoding capabilities for Mongo user and Mongo password.
Currently only %, @, :, /, ?, #, [ and ] are supported characters in the migration scripts provided.
https://help.hcltechsw.com/sametime/1201/admin/migrating_upgrading.html#ariaid-title4
Migrating contact lists (vpuserinfo.nsf)
What do you need to know ?

.
.
• The migration tool is designed to be unzipped into the Domino Program Directory.
• The notes-migration.bat script can only be executed out of the Domino Program Directory.
• Change notes-migration-user-input.txt to match your environment.
• If you specify a full path for NSF_PATH, either use or / as delimiter for the script to execute correctly.
• Run the notes-migration.bat script in an elevated ("Administrator") command window.
• Don't mind the "additional output" after successful execution... ;-)
Running the migration tool - Windows

.
.
Migration tool output - Windows

.
.
• The migration tool is designed to be unzipped into the Domino Binaries Directory.
• Change setenv.sh to match your environment.
• Source setenv.sh by executing: source ./setenv.sh
• Run the notes-migration.sh script by executing: ./notes-migration.sh
Running the migration tool - Linux

.
.
Migration tool output - Linux

.
.
Migrated contact lists in MongoDb

.
.
Sametime 11.5/11.6 supports MongoDb 3.5 or 4.2
Sametime 12.0 supports MongoDb 4.4 or later (on best effort)
Sametime 12.0.1 supports MongoDb 4.2, 4.4, 5, 6 or later (on best effort)
Upgrading HCL Sametime to 12.0.x or higher requires the migration of contact lists from vpuserinfo.nsf to MongoDb.
Given that requirement, you might also have/want to upgrade your existing MongoDb to a newer release.
https://www.mongodb.com/docs
Upgrading MongoDb
Considerations

.
.
Important:
Always follow the official MongoDb documentation for detailled upgrade instructions.
In-place upgrading a MongoDb ReplicaSet - in a nutshell:
• Upgrade the MongoDb binaries to next major release on all secondary.
• Step down the replica set primary to force an election of a new primary.
• Upgrade the MongoDb binaries on the stepped-down primary.
• Increment the feature compatibility version.
https://www.mongodb.com/docs/manual/release-notes/5.0-upgrade-replica-set
Upgrading MongoDb
In-place approach

.
.
Implement a new MongoDb ReplicaSet and migrate your data with mongodump and mongorestore.
Remark: It is recommended to restore to a matching major version.
Back up your databases with mongodump, eg:
mongodump --host=<oldmongohost>:<port> --username=<mongouser> --password=<mongopassword> --forceTableScan
--gzip --db=meeting --out /dump
--gzip --db=mobileOffline --out /dump
--gzip --db=chatlogging --out /dump
--gzip --db=userinfo --out /dump
https://www.mongodb.com/docs/database-tools/mongodump/
https://www.mongodb.com/docs/database-tools/mongorestore/
Upgrading MongoDb
Side-by side approach

.
.
Restore your databases with mongorestore, eg:
mongorestore --host=<newmongohost>:<port> --username=<mongouser> --password=<mongopassword> --drop
--noIndexRestore --gzip --verbose --nsInclude=meeting.* /restore
--noIndexRestore --gzip --verbose --nsInclude=mobileOffline.* /restore
--noIndexRestore --gzip --verbose --nsInclude=chatlogging.* /restore
--noIndexRestore --gzip --verbose --nsInclude=userinfo.* /restore
https://www.mongodb.com/docs/database-tools/mongodump/
https://www.mongodb.com/docs/database-tools/mongorestore/
Upgrading MongoDb
Side-by side approach (cont.)

.
.
.
.
Sametime Monitoring Dashboard

.
.
Sametime Statistics Monitoring
Provides statistics about chat and meeting services
via several HTTP endpoints
HCL Sametime You can
• collect
• store
• analyze
• visualize
the metrics from HCL Sametime
using any tools of your choice
Provides a docker-compose-monitoring.yml
file that creates a monitoring stack
Provides json files for Docker and Kubernetes
to build a Grafana dashboard
Run a monitoring stack based on
Prometheus and Grafana on the same
Linux host as your Sametime server
Create a Sametime monitoring dashboard
on a Grafana instance of your choice
(e.g. on prem or in the cloud)

.
.
Where to run the different monitoring components?
• On the Sametime server / K8s cluster or on a separate server?
• Do you also want to collect system and container metrics (CPU & RAM usage, diskspace left, etc.)?
How often do you want to collect metrics data?
• More often means more load on the Sametime server
• Keep in mind: You‘re NOT building a real time monitoring system!
• Hint: JVB stats are refreshed every 5 seconds
Where do you want to store the metrics data and how long do you want to keep it?
• A few hours…days…weeks…months?
➢ You may want to configure persistent volumes for Prometheus and Grafana
You need to make a few decisions

.
.
The Sametime services defined in docker-compose.yml and the monitoring services defined in
docker-compose-monitoring.yml run on the same Docker network.
➢ No need to expose any ports of the monitoring services to localhost except for Grafana
➢ No need to open firewall for any monitoring services ports except for Grafana port 3000
 Pull the cadvisor image from gcr.io, not from Docker hub.
HCL Sametime Monitoring Dashboard on Docker (1)

.
.
Modify docker-compose-monitoring.yml to enable https for Grafana
You can use the same TLS certificate as Sametime
Open https://SametimeServerFQDN:3000 and change default Grafana admin credentials
Other options
▪ Place a proxy server (e.g. built-in
nginx) in front of Grafana Web UI
▪ Configure LDAP authentication in
Grafana

.
.
The Sametime services defined in docker-compose.yml and the monitoring services defined in
docker-compose-monitoring.yml run on the same Docker network.
➢ In Grafana you can refer to Prometheus service name on port 9090 instead of http://host.docker.internal:9091

.
.
HCL Sametime Monitoring on Docker – Grafana Dashboard

.
.
The Sametime product documentation tells you to install kube-prometheus-stack that already includes Grafana.
➢ No need for an additional Grafana installation
Familiarize yourself with this stack before you install it !
• What’s included, how does it work, how to open Prometheus Web UI, etc.
• See values.yaml to find the initial admin password for Grafana (hint: “prom-operator”)
and learn about customization options
Accessing Grafana Web UI via kubectl port-forward is okay for the initial setup. For regular use of the dashboard(s)
you may want to consider other options to implement secure access to Grafana.
• Expose Grafana as a LoadBalancer service
• Create an Ingress for Grafana (also see values.yaml)
HCL Sametime Monitoring on Kubernetes
Also see https://www.youtube.com/watch?v=6xmWr7p5TE0

.
.
Register for the free of charge Deploying HCL Sametime Premium 12 on Kubernetes Self-Paced Workshop
and get step-by-step instructions in the Set Up Sametime Monitoring Dashboard chapter.
➢ https://hclsoftwareu.hcltechsw.com/hclsoftwareu-courses/course/sametime-on-kubernetes-self-paced
HCL Sametime Monitoring on Kubernetes

.
.
.
.
Integration with Let’s Encrypt

.
.
Sametime 12.0.1 on Docker can request, retrieve and apply a TLS certificate from Let’s Encrypt.
It will also automatically renew the TLS certificate before it expires.
The built-in integration is based on the ACME protocol (Automatic Certificate Management Environment) using an
HTTP-01 challenge to verify, that you are the owner of the requesting website.
1. ACME server (= Let's Encrypt) sends a challenge to ACME client (= NGINX service in Sametime)
2. ACME server will ask via in-bound HTTP request on port 80 for the “secret” at a well-known URL
➢ The FQDN of your Sametime server must be registered in public DNS
➢ Your Sametime server must be accessible on the public Internet via http port 80
Integrate Sametime on Docker with Let’s Encrypt
The built-in integration is currently broken in 12.0.1 FP1

.
.
# Exposed HTTP port
HTTP_PORT=80
# Exposed HTTPS port
HTTPS_PORT=443
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
ENABLE_HTTP_REDIRECT=1
# Let's Encrypt configuration
# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=<your.sametimeserver.com>
# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=<YourAdminEmailAddress>
# Use the staging server (for avoiding rate limits while testing)
# LETSENCRYPT_USE_STAGING=1
Integrate Sametime 12.0.1 on Docker with Let’s Encrypt
Settings in .env
If you set up the integration for the first time, make
sure to test it first with the Let’s Encrypt staging
service enabled!

.
.
nginx:
image: hclcr.io/st/meetings-web:${BUILD_LEVEL}
ports:
- '${HTTP_PORT}:80'
- '${HTTPS_PORT}:443'
...
environment:
...
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
...
Settings in docker-compose.yml
# Example: PUBLIC_URL=https://sametime.company.com
PUBLIC_URL=https://<your.sametimeserver.com>
Settings in custom.env
A setting for PUBLIC_URL can be found both in
.env and in custom.env.
Make sure you define a value for this setting only in
custom.env.
If you want to use the Let’s Encrypt staging service
you must also add LETSENCRYPT_USE_STAGING to the
environment variables of the nginx container.

.
.
The nginx container will use the ACME protocol to register an account with Let’s Encrypt.
If successfull it will then request and retrieve a TLS certificate.

.
.
The TLS certificate will be placed in a subdirectory below the ./sametime-config directory,
that is named after the FQDN of your server.

.
.
Sametime 12.0.1 on Kubernetes does not include built-in integration with Let's Encrypt. However, you can use
cert-manager to get a TLS certificate from Let’s Encrypt and use it with your Sametime deployment.
cert-manager adds custom objects such as Certificates, CertificateRequests and Issuers as resource types in
Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
• Install and configure cert-manager including CRDs
• Create Let's Encrypt ClusterIssuer for staging and production
• Edit the file ingress.yaml that is included with the Sametime helm charts and insert a new line with the string
cert-manager.io/cluster-issuer: "letsencrypt-staging" in the annotations section
When you then deploy Sametime, an ingress will be created as part of the deployment
and cert-manager will automatically provision a TLS certificate from Let’s Encrypt.
Integrate Sametime on Kubernetes with Let’s Encrypt
➢ https://cert-manager.io

.
.

.
.
Register for the free of charge Deploying HCL Sametime Premium 12 on Kubernetes Self-Paced Workshop
and get step-by-step instructions in the Prepare Deployment chapter.
➢ https://hclsoftwareu.hcltechsw.com/hclsoftwareu-courses/course/sametime-on-kubernetes-self-paced

.
.
.
.
Implementing and configuring
an internal STUN server

.
.
What is STUN ?
• Session Traversal Utilities for NAT (STUN) is a standardized set of methods, including a network protocol, for
NAT traversal of Network address transalation (NAT) gateways in applications of real-time voice, video,
messaging, and other interactive communications.
• STUN is a tool used by other protocols, such as Interactive Connectivity Establishment (ICE), the Session
Initiation Protocol (SIP) , and WebRTC. It provides a tool for hosts to discover the presence of a network
address translator, and to discover the mapped, usually public, Internet Protocol (IP) address and port number
that the NAT has allocated for the application's User Datagram Protocol (UDP) flows to remote hosts.
• The protocol requires assistance from a third-party network server STUN server located on the opposing public
side of the NAT, usually the public Internet.
Why do we need STUN ?
Simply put, we use STUN as a tool to help clients determine their public IP address so that they can connect to
each other and the Sametime Meeting Server to send and receive audio and video data.
https://en.wikipedia.org/wiki/STUN
https://help.hcltechsw.com/sametime/1201/admin/session_traversal_utilities.html
Implementing and configuring an internal STUN server
Things you need to know

.
.
1. Client 192.168.3.29 sends a STUN request through Router 192.168.1.1 to a STUN server outside the network,
listening on 108.177.15.127, using source port 5090.
2. Router 192.168.1.1 forwards the request to STUN server 108.177.15.127 and changes port 5090 to port 15090.
3. STUN Server 108.177.15.127 sends a response back to Client 192.168.3.29 through the Router with public
IP 144.77.11.213 specifying that the request was received from IP 144.77.11.213 and port 15090.
https://en.wikipedia.org/wiki/STUN
How does it work ?

.
.
Common reasons for implementing an internal STUN server
• Internal only deployment in a NAT network
• DMZ deployment, but internal clients are not allowed to send UDP traffic to public IP
• etc. ...
Important:
• HCL Sametime ships with Google STUN servers in the default configuration, ie
stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
• The internal STUN server must not be installed on the same host running the Sametime JVB !
Considerations

.
.
yum install epel-release coturn coturn-utils -y
mv /etc/coturn/turnserver.conf /etc/coturn/turnserver.conf.orig
cat <<EOF > /etc/coturn/turnserver.conf
listening-port=3478
server-name=<stun.yourdomain.tld>
realm=<yourdomain.tld>
total-quota=100
stale-nonce=600
proc-user=coturn
proc-group=coturn
EOF
firewall-cmd --zone=public --add-port=3478/udp --permanent
firewall-cmd --reload
systemctl enable coturn
systemctl start coturn
Sample setup and configuration (RedHat)

.
.
Modify your .env file:
[…]
# STUN servers used to discover the server's public IP.
JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:
19302,<stun.yourdomain.tld>:<stunport>
[…]
eg
[…]
# STUN servers used to discover the server's public IP.
JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:
19302,stun.yourdomain.tld:3478
[…]
https://help.hcltechsw.com/sametime/1201/admin/configuring_stun.html
Docker

.
.
Modify your helm/values.yaml file:
global:
[…]
jvbStunServers: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com
:19302,<stun.yourdomain.tld>:<stunport>
[…]
eg
global:
[…]
jvbStunServers: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com
:19302,stun.yourdomain.tld:3478
[…]
https://help.hcltechsw.com/sametime/1201/admin/configuring_stun.html
Kubernetes

.
.
HCL customers with an entitlement for Sametime Limited Use can download HCL Sametime 12 from FlexNet.
The file Sametime_12.0.1_FP1.zip contains all server components for a “Chat-only” deployment of Sametime.
If you install that file on Docker or Kubernetes, the deployment will automatically configure the Sametime clients, so
that they only provide such capabilities, that are compliant with a Sametime Limited Use entitlement.
If your organization has both Sametime Limited Use and Sametime Premium users, you can deploy Sametime
Premium and configure multiple policies to make sure, that Sametime Limited Use users will be restricted to their
entitlement while Sametime Premium users can use all capabilities of Sametime.
• Modify the default user policy so that it allows only Sametime Limited Use capabilities
• Create a custom policy that allows Sametime Premium capabilities and assign it to your Sametime Premium
users
Set Up Sametime Limited Use

.
.
Modifying a user policy to allow Sametime Limited Use capabilities
Policy ID set this to Description
im.2019 current-value=1 requires this community to be the default, primary community
im.2011 current-value=0 disables the ability to add multiple communities to the installed Sametime client
im.2001 current-value=0 disables the ability to add external users via the Sametime Gateway
im.enableOrganizationTreeView current-value=0 disables the organization tree view
im.3000 current-value=0 disables the use of some integrated features of the client (e.g. Audio / Video)
im.2009 current-value=0 disables Screen Captures and Image Transfer
im.2005 current-value=0 disables client-to-client File Transfer
im.1 current-value=0 disables File Transfer through server
im.thirdPartyMeetingEnabled current-value=0 disables Instant Meeting invite ("Meet me here")
im.meetingsEnabled current-value=0 disables Sametime 11.6 or Sametime 12 Meetings
The file policies.user.xml is located in the /local/notesdata directory of the Sametime Community container.
Change the following settings in the default policy in policies.user.xml to allow only Sametime Limited Use capabilities.

.
.
Creating a custom policy for Sametime Premium users
Create a group in your LDAP directory, that contains your Sametime Premium users (e.g. "SametimePremiumUsers").
Create a custom policy in policies.user.xml with settings for your Sametime Premium users and assign it a weight,
that is higher than the weight of the default policy.
Example showing HCL Domino as the LDAP directory

.
.
Assigning a custom policy to Sametime Premium users
Assign the custom policy to the group, that you created for your Sametime Premium users.
assignment type="1" means you are assigning the policy to a group.

.
.
How to customize the policies.user.xml file in Sametime on Docker (1)
# Change to your Sametime directory
cd /opt/hcl/sametime
# Best practice: Create a separate directory for your customizations
mkdir custom-config
# Copy the file policies.user.xml from the Community container to your custom-config directory while Sametime is running
docker cp sametime_community_1:/local/notesdata/policies.user.xml custom-config/policies.user.xml
# Stop the Sametime server
docker compose down

.
.
How to customize the policies.user.xml file in Sametime on Docker (2)
# Modify the policies.user.xml file in your custom-config directory as needed
# Edit the file docker-compose.yml to mount your customized policies file to the community container
# Note: In the example below, we changed the file name of the customized policy to customized.policies.user.xml
# Start the Sametime server
docker compose up -d

.
.
How to customize the policies.user.xml file in Sametime on Kubernetes (1)
# Create a subdirectory for the customized policy and switch to this directory.
mkdir my-custom-policy
cd my-custom-policy
# Copy the existing policy files from the Community container to the current directory.
# You need to copy both files, even if you plan to update only one of the files.
kubectl exec -it <podID> --container community -- cat /local/notesdata/policies.user.xml >
./policies.user.xml
kubectl exec -it <podID> --container community -- cat /local/notesdata/policies.server.xml >
./policies.server.xml
# Modify the policy files as needed, then create a ConfigMap from these files.
kubectl create configmap custom-community-policy --from-file=./
# Modify the values.yaml file and add the following parameter to use the ConfigMap:
overrideCommunityPolicy: custom-community-policy

.
.
How to customize the policies.user.xml file in Sametime on Kubernetes (2)
# Change to the helm directory, run ‘helm upgrade’ and scale the Community pod.
helm upgrade <deploymentName> . # run this command from the helm directory
kubectl scale deploy community --replicas=0
# If you need to make further changes to your policies, update the policy files again, then recreate the ConfigMap and scale the
Community pod to apply your changes.
cd my-custom-policy
# Update the policy files, then run the commands below
kubectl delete cm custom-community-policy
kubectl create configmap custom-community-config --from-file=./

.
.
.
.
Q&A
SAML
TURN
MongoDB
on
K8s
12.0.1
FP1

.
.
You want to get in touch with implementing Sametime on Kubernetes ?
Get your “free copy” now ! … ;-)
HCL Sametime Premium 12.0 FP1 - Full stack Kubernetes Deployment
HCLSoftware U - Whitepapers
https://hclsoftwareu.hcltechsw.com

Widescreen PPT
template with
sample layouts
Please refer to the file HCL
Software_Widescreen-PPT_
Template_Instructions.pdf,
for the correct usage of
the template

[Title slide: v1]
<Heading>
<Subheading>
<Details of presenter>

[Title slide: v2]
<Heading>
<Subheading>

[Title slide: v3]
<Heading>
<Subheading>

[Title slide: v4]
<Heading>
<Subheading>

[Title slide: v5]
<Heading>
<Subheading>

[Title slide: v6]
<Heading>
<Subheading>

[Title slide: v7]
<Heading>
<Subheading>

[Title slide: v9]
<Heading>
<Subheading>

.
.
84
<Page Title> Delete rows as required <0>
<Subheading> Duplicate slide for additional layouts
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>
<Page Title> <0>
<Subheading>

.
.
.
.
85
[Section divider]
<0>

.
.
Select the required font using the {List Level} function to choose the relevant style. To access the pre-programmed
styles quickly, use the keyboard shortcut.
First level <Text>
Second level <Subheading>
▪ Third level <Bullet Level 1>
▫ Fourth level <Bullet Level 2>
– Fifth level <Bullet Level 3>
Tip: Use the keyboard shortcut to quickly select the relevant style
▪ To increase {List Level}: Select text then press {Tab}
▪ To decrease {List Level}: Select text then press {Shift+Tab}
86
<Source/Footnote>
[Title and content] First level <Heading>
Second level <Subheading> Filling the placeholder with text

.
.
87
<Source/Footnote>
Second level <Subheading> Filling the placeholder with content

.
.
Topic Content Person Responsible Timing
<Subject>
▪ Bullet level 1
▪ Bullet level 1
<Name> 0:00 a.m. – 0.00 a.m.
<Subject>
▪ Bullet level 1
▪ Bullet level 1
<Name> 0:00 a.m. – 0.00 a.m.
BREAK
<Subject>
▪ Bullet level 1
▪ Bullet level 1
<Name> 0:00 a.m. – 0.00 a.m.
LUNCH
<Subject>
▪ Bullet level 1
▪ Bullet level 1
<Name> 0:00 a.m. – 0.00 a.m.
<Subject>
▪ Bullet level 1
▪ Bullet level 1
<Name> 0:00 a.m. – 0.00 a.m.
88
Second level <Subheading> Filling the placeholder with a table

.
.
August September October November December January
8 15 22 29 5 12 19 26 3 10 17 24 31 7 14 21 28 5 12 19 2 9 16 23
Stage 1: <Stage description>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
<Activity detail>
89
Timeline sample
Milestone

.
.
90
Timeline base sample
Select the table and in the {Layout} tab merge cells to create the
relevant months. Copy and paste text from previous slide if relevant.
Milestone

.
.
Series 1 Series 2 Series 3 Series 4 Series 5 Series 6
91
Chart samples
Adapt charts to visually replicate the below samples
<Heading>
Copy and paste this text
placeholder onto your charts
if required.
0
1
2
3
4
5
6
Category 1 Category 2
Series 1 Series 2 Series 3 Series 4 Series 5 Series 6

.
.
01
<Heading>
<Text>
04
<Heading>
<Text>
02
<Heading>
<Text>
05
<Heading>
<Text>
03
<Heading>
<Text>
06
<Heading>
<Text>
92
First level <Heading>

.
.
Select the required font using the {List Level}
function to choose the relevant style. To access the
pre-programmed styles quickly, use the keyboard
shortcut.
First level <Text>
93
Second level style <Heading>
First level <Text>. Use as blocks of body copy
to form paragraphs on the slide. Use as blocks
of body copy to form paragraphs on the slide.
<Source/Footnote>
[Title and two content] First level <Heading>
Second level <Subheading> Filling both placeholders with text

.
.
94
shortcut.
First level <Text>
<Source/Footnote>
Second level <Subheading> Filling placeholders with an image and text

.
.
95
Select the required font using the
{List Level} function to choose the
relevant style. To access the pre-
programmed styles quickly, use the
keyboard shortcut.
First level <Text>
<Source/Footnote>
Manually adapting the width of the placeholders using the grid and filling with an image and text

shortcut.
First level <Text>
96
<Source/Footnote>
[Text and image] First level <Heading>

.
.
97
1
[3 stats and image] <Text>
2
<Text> The number of
the stat can be manually
changed by retyping
3
<Text>

.
.
98
[4 column icons] First level <Heading>
<Text>
<Heading>
<Text>
<Heading>
<Text>
<Heading>
<Text>
<Heading>

.
.
99
[4 column icons] First level <Heading>
<Text> The icons above can
be copied and pasted where
relevant.
<Heading>
<Text>
<Heading>
<Text>
<Heading>
<Text>
<Heading>

.
.
100
<Source/Footnote>
[Title only] First level <Heading> Add elements as required,
use the grid to create the layouts

Real life challenges and configurations when implementing HCL Sametime v12.0.1 - DNUG Stammtisch Wien

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Real life challenges and configurations when implementing HCL Sametime v12.0.1 - DNUG Stammtisch Wien

Similar to Real life challenges and configurations when implementing HCL Sametime v12.0.1 - DNUG Stammtisch Wien (20)

More from DNUG e.V.

More from DNUG e.V. (20)

Recently uploaded

Recently uploaded (20)

Real life challenges and configurations when implementing HCL Sametime v12.0.1 - DNUG Stammtisch Wien